[Essential for beginners] A collection of CTF (capture the flag) competition learning resources

Foreword:

There have been many CTF competitions recently. For anyone who wants to learn about or take part in CTF competitions, CTF tools and practice ranges are essential. Today I will share the CTF resources I have collected, hoping they will be helpful to you.

CTF online tools

First of all, I would like to recommend the 3 CTF online tool websites that I use frequently.

1. CTF Online Toolbox: http://ctf.ssleye.com/ contains encoding, encryption and decryption, and other algorithms commonly used in CTF competitions.

2. CTF encryption and decryption toolbox: http://www.atoolbox.net/Category.php?Id=27

3. ctfhub online tools: https://www.ctfhub.com/#/tools

CTF practice ranges

Next, I recommend the practice ranges I usually use.

1. Online ranges

BugKu (simple, recommended for beginners, and also has online tools) https://ctf.bugku.com/index.html

CTFhub range (including past competition questions) https://www.ctfhub.com/#/index

CTFshow range (more questions) https://ctf.show/challenges

Network Attack and Defense World (a very good website, but always under maintenance) https://adworld.xctf.org.cn/

CTFwiki (covers the various knowledge points of CTF; meant for learning the basics) https://ctf-wiki.org/misc/recon/

BUUCTF (recommended, but not suitable for beginners) https://buuoj.cn/

i Chunqiu (recommended; also has vulnerability reproduction environments) https://www.ichunqiu.com/competition

xctf (well-known) https://adworld.xctf.org.cn/

OJ of Zhejiang University (recommended for getting started with pwn) https://www.jarvisoj.com/

2. Build your own range

  • SQLI-LABS range

Covers most types of SQL injection, organized as a series of levels to clear, each built around an SQL injection vulnerability.

Download address: https://github.com/Audi-1/sqli-labs

  • DVWA range

Recommended range for beginners. The purpose of DVWA is to let you practice some of the most common web vulnerabilities through an easy-to-use interface. The vulnerabilities come at different difficulty levels. It is a comprehensive target covering a variety of vulnerabilities.

https://github.com/ethicalhack3r/DVWA

  • OWASP range

This range was developed by OWASP for web security researchers and beginners. It includes a large number of training lab environments and real web applications with known security vulnerabilities.

The download from the official website is a pre-built virtual machine that can be opened directly in the vm; the physical machine then reaches the web platform by browsing to the virtual machine's IP. Logging in with root owaspbwa returns the range address, which you can then access directly. DVWA is suitable for understanding vulnerabilities and simple exploits, while owaspbwa is closer to a real, complex business environment.

Download address: https://sourceforge.net/projects/

  • DSVW range

Damn Small Vulnerable Web (DSVW) is a web application vulnerability practice system written in Python. It consists of a single Python script file that covers 26 kinds of web application vulnerability environments, with the script kept within 100 lines of code. The current version is v0.1m. It requires Python (2.6.x or 2.7) with the lxml library installed.

Download address: git clone https://github.com/stamparm/DSVW.git

  • WebGoat range

WebGoat is a Java range application developed by OWASP for web vulnerability experiments, built to illustrate security vulnerabilities in web applications. WebGoat runs on any platform with a Java virtual machine and currently provides more than 30 training lessons, including: cross-site scripting (XSS), access control, thread safety, manipulating hidden fields, manipulating parameters, weak session cookies, blind SQL injection, numeric SQL injection, string SQL injection, web services, Open Authentication failure, dangerous HTML comments, etc. WebGoat provides a series of web security tutorials, and some lessons also include video demonstrations showing how the vulnerabilities are exploited.

The GitHub address is: https://github.com/WebGoat/WebGoat

  • XVWA range

Xtreme Vulnerable Web Application (XVWA) is a range written in PHP/MySQL that helps beginners quickly pick up security techniques.

https://github.com/s4n7h0/xvwa

  • Pikachu range

An interesting web security vulnerability testing platform, similar to DVWA but clearer to read than the former (it is in Chinese), with simple vulnerability pages that are less monotonous.

Project address: github.com/zhuifengshao

  • Vulnhub range

Vulnhub is a range platform that provides a variety of vulnerable environments for security enthusiasts to learn from. Most of the environments are virtual machine images with various vulnerabilities built in, and they need to be run with VMware or VirtualBox. Each image has a goal, mostly Boot2root: from starting the virtual machine to obtaining root privileges on the operating system and viewing the flag.

Download link: https://download.vulnhub.com/breach/Breach-1.0.zip


Origin blog.csdn.net/Hacker0830/article/details/129818357